Micro-Segmentation Hub

What is Micro-Segmentation

Micro-segmentation is an emerging security best practice that offers a number of advantages over more established approaches like network segmentation and application segmentation. The added granularity that microsegmentation offers is essential at a time when many organizations are adopting cloud services and new deployment options like containers that make traditional perimeter security less relevant. 

Infrastructure visualization plays an essential role in the development of a sound microsegmentation strategy. When it’s done well, visualization makes both sanctioned and unsanctioned activity in the environment easier for IT teams to identify and understand.

This added visibility enables IT teams to define and fine-tune microsegmentation policies that can both alert on and block unsanctioned activity. Micro-segmentation policies can take many forms, including controls based on environment type, regulatory scope, application, and infrastructure tier. Micro-segmentation also makes it possible to apply the principle of least privilege more extensively in data center and cloud environments, providing a more effective defense posture than traditional network-layer controls alone.

It’s important to select a microsegmentation approach that works consistently across cloud providers. By decoupling security from the cloud infrastructure provider, organizations can prevent vendor lock-in from driving costs up and avoid unnecessary complexity when mergers and acquisitions create mixed cloud environments.

When comparing microsegmentation vendors, keep in mind the differentiating elements that separate the decent solutions from the truly superior technology – with features like flexible policy creation and complementary capabilities such as breach detection. This will facilitate your implementation process and help you more easily see quick wins right from the beginning.

When implementing microsegmentation, it’s important to select a future-proof approach that can be applied to emerging deployment models like containers in addition to standard cloud instances, virtual machines, and bare-metal servers.

Micro-segmentation is a new concept to many, but it is becoming an increasingly important tool for IT teams challenged with keeping security policies and compliance in step with the rapid rate of change in today’s dynamic data center, cloud, and hybrid cloud environments.

Application Segmentation

As cloud usage expands and the pace of application deployments and updates accelerates, many security teams are increasing their focus on application segmentation. There are multiple approaches to application segmentation, which can lead to confusion as security teams compare traditional application segmentation techniques with newer approaches like microsegmentation.

Application segmentation often includes a blend of intra-application segmentation and isolation of application clusters from the rest of the IT infrastructure. Both techniques provide security value in different ways. However, traditional application segmentation approaches rely primarily on Layer 4 controls, which are becoming less effective and more difficult to manage as environments and application deployment processes become more dynamic.

Micro-segmentation technologies offer security teams a more effective approach to application segmentation by providing a detailed visual representation of the environment, along with a more granular set of policy controls. The most effective microsegmentation technologies take an application-centric approach that extends to Layer 7. Visibility and control at the individual process level makes application segmentation more effective and easier to manage. Sanctioned activity can be governed with highly specific policies that are not affected by IP address spoofing or attempts to execute attacks over allowed ports.

As hybrid-cloud environments and fast-moving DevOps processes become the norm, application segmentation is more important – and more challenging – than ever. Using application-centric microsegmentation to perform application segmentation ensures that security visibility and policy controls keep pace with rapid changes to both the environment and the applications running in it.

Policy Enforcement Essentials for your Micro-Segmentation Strategy

Network policy enforcement is the set of rules that you place over your IT environment to ensure you have control over access and communication. This could be as simple as keeping production and development separate from one another to avoid human error. More specific policy enforcement rules can help with compliance needs, such as keeping your CDE (cardholder data environment) isolated so that the rest of your network remains out of scope for PCI DSS compliance.

Data center policy engines have traditionally been inflexible, relying on strict, all-or-nothing approaches, or on global deny lists without the ability to form exceptions. As workloads become increasingly dynamic and more businesses embrace the hybrid cloud, flexible policy engines are a must-have. These allow for autoscaling, policies that follow the workloads, and policy creation that is not platform-dependent.

The process of policy creation begins with having strong awareness of both your business and your security objectives. There’s a balance to be found with microsegmentation policy. Too strong, and you might end up with an inflexible environment that makes it tough for staff to work freely and with autonomy. Too weak, and you’re left with an attack surface that’s dangerously large.

Accessing a full real-time map of your IT environment can give you insight into how and where segmentation policy should be placed. Choosing a solution that can enforce policy up to Layer 7, rather than only the traditional Layer 4, can give you even greater security benefits. Even if your perimeter is breached, having the right policies in place can stop or divert an attacker, who will be unable to move laterally across your network.

Micro-Segmentation and Application Discovery – Gaining Context for Accurate Action

The infrastructure and techniques used to deliver applications are undergoing a significant transformation, which is making it more challenging than ever for IT and security teams to maintain both point-in-time and historical awareness of all application activity. Achieving the best possible security protection, compliance posture, and application performance levels is only possible through an application discovery process that spans all of an organization’s environments and application delivery technologies.

An effective application discovery process includes four essential elements.

The first element is data collection. A variety of agent- and network-based techniques can be used to collect detailed information about application activity across both on-premises and cloud environments. Both provide significant value, but agent-based collection is particularly critical, as it enables the collection of richer Layer 7 detail.

Raw data on its own is of limited value without context, so the second key element of application discovery is organization and labeling. Solutions like Guardicore Centra streamline this process by interfacing with existing data sources and employing other methods of automation.

The third step to effective application discovery is visualization. Visualization brings the contextualized data together into an adaptable, visual interface that is relevant to the security team and other application stakeholders. Real-time and historical views of application activity each serve distinct purposes, so it’s important to implement a visualization approach that can support both types of data.

The fourth and final critical element of an application discovery approach is a clear and intuitive method of taking action based on the insights gained through greater application visibility. This is the strategic point of intersection between application discovery and microsegmentation.

Benefits of Micro-Segmentation

As IT infrastructure becomes more dynamic and new deployment approaches like cloud infrastructure and containers assume more prominent roles, the value of traditional perimeter-focused security is greatly diminished. Instead, there is a growing need for IT teams to enhance their ability to detect and prevent lateral movement among heterogeneous data center and cloud assets. Micro-segmentation with Layer 7 granularity provides several key benefits to organizations facing this challenge.

Implementing microsegmentation greatly reduces the attack surface in environments with a diverse set of deployment models and a high rate of change. Even as DevOps-style application development and deployment processes bring frequent changes, a microsegmentation platform can provide ongoing visibility and ensure that security policies keep pace as applications are added and updated.

Even with proactive measures in place to reduce the attack surface, occasional breaches are inevitable. Fortunately, microsegmentation also significantly improves organizations’ ability to detect and contain breaches quickly. This includes the ability to generate real-time alerts when policy violations are detected and actively block attempts to use compromised assets as launch points for lateral movement.

Another key benefit of microsegmentation is that it helps organizations strengthen their regulatory compliance posture, even as they begin using cloud services more broadly. Segments of the infrastructure containing regulated data can be isolated, compliant usage can be tightly enforced, and audits are greatly simplified.

The benefits of microsegmentation are maximized when the approach is integrated with an organization’s broader infrastructure, such as orchestration tools. It’s also essential to select a microsegmentation approach that works across physical servers, virtual machines, and multiple cloud providers for maximum effectiveness and flexibility.

Lateral Movement Security

While IT security teams often devote significant attention to perimeter protection, east-west traffic is outgrowing north-south traffic in both volume and strategic importance. This is driven by such factors as changes in data center scaling approaches, new big data analysis needs, and growing use of cloud services with a less defined perimeter. It’s more important than ever for IT security teams to develop their capabilities to prevent lateral movement in these types of environments.

Lateral movement is the set of steps that attackers who have gained a foothold in a trusted environment take to expand their level of access, move to additional trusted assets, and further advance in the direction of their ultimate target. It’s difficult to detect, as it often blends in with the large volume of similar legitimate east-west traffic in the environment.

Organizations can begin to approach this problem using testing tools, including Guardicore’s free Infection Monkey tool. This will help identify and remediate existing weaknesses.

There are also more sophisticated techniques that organizations can implement to improve lateral movement security. For example, Guardicore Centra can provide ongoing and historical visibility of all east-west traffic and empower IT teams to use this insight to create proactive policies to prevent lateral movement.

Centra also offers additional capabilities that can help IT security teams detect and contain lateral movement, including:

  • Blocking actions and alerts based on reputation data from the Guardicore Global Sensor Network (GSSN).
  • Redirecting failed attempts at lateral movement to a high-interaction deception engine that records attacker behavior for further analysis.

Reduce Attack Surface

While the shift from traditional on-premises data centers to cloud and hybrid cloud models has unlocked many new business benefits, it has also significantly increased the size of the attack surface that security teams must defend. This challenge is compounded by the accelerating pace of infrastructure change and the more dynamic application deployment models that many organizations are adopting.

While many existing attack surface reduction techniques, such as system hardening, vulnerability management, access controls, and network segmentation, remain relevant as cloud platform usage grows, security teams seeking to reduce their attack surface can benefit from greater visibility and more granular policy controls that can be applied consistently from the data center to the cloud.

Visualizing the attack surface in detail makes it much more practical to develop strategies for reducing its size. A detailed visual representation of all applications and their dependencies, along with the underlying infrastructure that supports them, makes it easier for security teams to assess their level of exposure and uncover indicators of compromise.

These insights can then be used to develop microsegmentation policies that govern application activity with process-level granularity. This level of control makes it possible to align security policies with application logic and implement a zero-trust environment in which only sanctioned application activity can successfully execute.

As the transition to hybrid cloud models progresses, it is easy for organizations to overlook the extent to which this change magnifies the size of their attack surface. New physical environments, platforms, and application deployment methods create many new areas of potential exposure. To effectively reduce the attack surface in hybrid cloud environments, a microsegmentation solution must apply policies consistently across disparate data center and cloud environments and a mix of operating systems and deployment models.

Secure Critical Applications

Today’s information security teams face two major trends that make it more challenging than ever to secure critical applications. The first is that IT infrastructure is evolving rapidly and continuously. The second is that attackers are growing more targeted and sophisticated over time. 

Implementing a sound microsegmentation approach is one of the best steps that security teams can take to gain greater infrastructure visibility and secure critical applications, as it:

  • Delivers process-level granularity that aligns security policies with application logic
  • Enables security policies to be implemented consistently from the data center to the cloud
  • Provides consistent security across different underlying platforms

This power and flexibility is helpful to any organization considering how to best protect high-value targets like domain controllers, privileged access management systems, and jump servers. It’s also invaluable as organizations adopt cloud services and new application deployment approaches like containers.

Micro-segmentation can also play an important role in securing key vertical-specific applications, including healthcare applications containing protected health information (PHI), financial services applications that are subject to PCI DSS and other regulations, legal applications with client confidentiality implications, and many others. The additional policy granularity that microsegmentation provides makes it easier to create security boundaries around sensitive or regulated data, even when it spans multiple environments and platforms. The added visibility that microsegmentation provides is also extremely valuable during the regulatory audit process.

While IT infrastructure evolution creates new challenges for security teams, decoupling security visibility and policy controls from the underlying infrastructure ensures that critical applications can be secured effectively in heterogeneous environments with a high rate of change.

Micro-Segmentation Methods

Micro-segmentation is an essential capability for organizations tasked with securing fast-evolving data center, cloud, and hybrid cloud IT infrastructure. However, the power and flexibility that microsegmentation offers can make it challenging to identify the optimal mix of microsegmentation techniques to get started with. Upfront consideration of frequently used microsegmentation methods can help organizations design a phased approach that aligns with their unique security and compliance requirements.

Many organizations are familiar with the use of VLANs and other forms of network segmentation. While network segmentation does offer security value, microsegmentation offers much more granularity of control and is much more efficient to deploy and manage at scale. Micro-segmentation is also much more practical to extend beyond the data center to cloud infrastructure than VLANs.

A good first step in microsegmentation policy development is to identify applications and services in the environment that require broad access to many resources. Log management systems, monitoring tools, and domain controllers are a few examples. These types of systems can be granted broad access, but microsegmentation policies can be used to enforce their use only for sanctioned purposes.

There are a number of other methods that organizations can draw from when designing their microsegmentation approach, including:

  • Micro-segmentation by environment
  • Creating regulatory boundaries
  • Micro-segmentation by application type
  • Micro-segmentation by tier

The best way for organizations to get started with microsegmentation is to identify the methods that best align with their security and policy objectives, start with focused policies, and gradually layer additional microsegmentation techniques over time through step-by-step iteration.
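The following is an added example, not code from this page or from Guardicore's product: a small label-based policy evaluator in Python that works through the methods listed above (segmentation by environment, a regulatory boundary around PCI scope, a broad-access log collector limited to its sanctioned purpose, and tiering) and shows why process-level matching catches a connection on an allowed port that a Layer 4 rule would pass. The asset inventory, labels, process names and flows are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed inventory: labels a discovery/labeling step would attach to each
# workload (environment, application, tier and PCI regulatory scope).
ASSETS = {
    "10.0.1.10": {"env": "prod", "app": "shop", "tier": "web"},
    "10.0.1.20": {"env": "prod", "app": "shop", "tier": "db", "scope": "pci"},
    "10.0.2.10": {"env": "dev", "app": "shop", "tier": "web"},
    "10.0.9.5": {"env": "prod", "app": "logging", "tier": "collector"},
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    process: str  # initiating process on the source, as an agent reports it

@dataclass
class Rule:
    name: str
    src: Dict[str, str]  # label selector; {} matches any workload
    dst: Dict[str, str]
    ports: Optional[Set[int]] = None  # None = any port
    processes: Optional[Set[str]] = None  # None = any process
    action: str = "allow"  # "allow", "alert" or "block"

def labels_match(labels, selector):
    return all(labels.get(k) == v for k, v in selector.items())

def rule_matches(rule, flow):
    src, dst = ASSETS.get(flow.src, {}), ASSETS.get(flow.dst, {})
    return (labels_match(src, rule.src) and labels_match(dst, rule.dst)
            and (rule.ports is None or flow.dport in rule.ports)
            and (rule.processes is None or flow.process in rule.processes))

# Ordered policy: first match wins, so specific allows precede broad blocks.
POLICY = [
    # Regulatory boundary: only the shop web tier's app server process may
    # reach the PCI-scoped database, and only on the database port.
    Rule("pci-db-from-web", {"env": "prod", "app": "shop", "tier": "web"},
         {"scope": "pci"}, ports={5432}, processes={"gunicorn"}),
    # Broad-access system limited to its sanctioned purpose: any prod
    # workload may ship syslog to the collector, but only via rsyslogd.
    Rule("syslog-to-collector", {"env": "prod"}, {"app": "logging"},
         ports={514}, processes={"rsyslogd"}),
    # Environment separation: nothing in dev talks to prod.
    Rule("dev-to-prod", {"env": "dev"}, {"env": "prod"}, action="block"),
    # Anything else aimed at PCI scope is blocked.
    Rule("pci-default", {}, {"scope": "pci"}, action="block"),
]
DEFAULT_ACTION = "alert"  # learning mode: unmatched flows alert, not block

def evaluate(flow):
    """Return (action, rule name) for one observed flow."""
    for rule in POLICY:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"

def violations(flows):
    """Flows not explicitly allowed, each with its verdict and rule name."""
    results = [(f, *evaluate(f)) for f in flows]
    return [r for r in results if r[1] != "allow"]

# Constructed flows as agents might report them. The bash connection on the
# allowed DB port is the "attack over an allowed port" a port-only rule passes.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", 5432, "gunicorn"),  # sanctioned DB access
    Flow("10.0.1.10", "10.0.1.20", 5432, "bash"),      # allowed port, wrong process
    Flow("10.0.2.10", "10.0.1.20", 5432, "gunicorn"),  # dev reaching into prod
    Flow("10.0.1.20", "10.0.9.5", 514, "rsyslogd"),    # DB shipping its logs
    Flow("10.0.1.20", "10.0.9.5", 22, "ssh"),          # unexpected lateral hop
]
```

Running `violations(SAMPLE_FLOWS)` returns the bash, dev-to-prod and ssh flows; the ssh hop is only alerted because the default is learning mode, which is the stage at which a real policy would be tightened.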

Operationalizing Micro-Segmentation to Get You Started

Micro-segmentation is clearly the way forward in protecting networks. Not only is it the answer to the eroding perimeter, it is cost- and manpower-effective too. But a successful microsegmentation deployment cannot be slapped together; it requires deliberate and detailed forethought to get it all right the first time around.

There are some things you need to consider thoroughly to establish the groundwork for a successful microsegmentation deployment.

Initially, you need to understand what needs to be segmented. Your microsegmentation deployment will reflect your needs, so determine whether you are segmenting for general risk reduction or for compliance reasons. Next, tackle short-term goals, and then deal with long-term goals once you have a microsegmentation baseline protecting your assets.

Once that’s complete, get a thorough picture of your environment, but know that your initial picture is incomplete. You can (and should) add more as you learn more about your connections. Know that proper labeling of assets is critical. Flexibility in the labeling process is also key, as labels need to reflect your environment as closely as possible. Lastly, identify your information sources and plan a way to extract information from them.

These steps will put you on your way to a solid and fruitful microsegmentation deployment.

Micro-Segmentation Security Best Practices

The rise in hybrid-cloud data centers, SaaS and IaaS, and virtualization has led to a complex IT infrastructure which is difficult to secure. In response, microsegmentation is fast becoming security best practice for businesses working in these kinds of dynamic environments. The value this technology provides is varied, from zone segmentation, to application isolation or service restriction.

One important point to consider is whether to choose an approach that is network-centric or application-centric. While a network-centric approach manages traffic by network choke points, third-party controls or network enforcement, an application-centric approach deploys agents onto the workload itself. The latter approach gives advantages such as better visibility and increased opportunity to scale, and it is entirely infrastructure-agnostic. In order to be future-ready, the right choice will provide coverage for any environment, from legacy systems, bare metal servers and virtualized environments, to containers and the public cloud.

The unparalleled visibility you gain with an application-centric model is what will ensure that you don’t fall into the most common trap when it comes to microsegmentation – over-segmenting your applications. Best practice is to start with what we call ‘early wins’. These will have obvious business need at their core, and be simple segmentation policies that can be put into place and create immediate value. Examples could be as simple as separating environments such as production and development, or meeting compliance regulations by securing critical data or applications.

Lastly, best practice involves looking outside of microsegmentation alone to see where complementary controls can strengthen your security posture overall. Breach detection and incident response are two great examples that can work seamlessly with microsegmentation and are powerful to utilize in an all-in-one package. Without these, your business is left attempting to force third-party solutions to work in harmony without gaps or increased risk – a truly tall order, and an administrative hassle that you don’t need to settle for.

Thinking about these microsegmentation best practices at the outset of your project can lighten the load of implementing this game-changing technology, ensuring that the common stumbling blocks are taken care of from the beginning.

Impact on Compliance

When it comes to meeting regulatory compliance, companies are struggling with the increasingly dynamic environment we work in today. As the regulations themselves get stricter, security audits are becoming more common, and the consequences graver for non-compliance. These include fines, damage to business reputation and even loss of revenue until compliance is achieved.

Physical segregation of IT infrastructure is no longer enough. Workloads have become dynamic, and the CDE is not static, including tiers that allow for auto-scaling or unpredictable changes. Networks and applications that are in scope for PCI DSS regulations are complex. They can span multiple machines, include hybrid environments like containers and VMs, and even work across multiple physical locations or time zones.

Micro-segmentation is becoming a popular choice for meeting compliance regulations such as PCI DSS. The right solution can provide unparalleled visibility into traffic and data flows across your entire infrastructure, including hybrid environments. It can then help you segment your network, reducing the scope and limiting communication at process level. This can keep your CDE protected, even from lateral moves or pivots if a breach occurs. A flexible policy engine for creating rules will ensure that you have ultimate control over your microsegmentation approach, meeting more in-depth requirements such as permissions and behavior for insecure protocols.

For PCI compliance and more, microsegmentation can allow you to gain powerful visibility of all applications and workloads at process level, build flexible policies that drill down to meet compliance regulations, and enforce these to control an overall security posture that has you ready for any audit.
